OpenAM Unauthenticated Session Hijacking via Information Exposure in CDCServlet
High severity
GitHub Reviewed
Published
Jun 23, 2026
in
OpenIdentityPlatform/OpenAM
•
Updated Jun 23, 2026
Package
Affected versions
<= 16.0.6
Patched versions
16.1.1
Description
Published to the GitHub Advisory Database
Jun 23, 2026
Reviewed
Jun 23, 2026
Last updated
Jun 23, 2026
Summary
Description
An Information Exposure Through Sent Data (CWE-201) issue in OpenAM's Cross-Domain Single Sign-On (CDSSO) servlet allows a logged-in user's raw OpenAM session token to be POSTed to an attacker-controlled URL. This impacts OpenAM Community Edition through version 16.0.6. This issue was patched in version 16.1.1.
An attacker who can induce a logged-in victim to visit a crafted URL may receive the victim's session credential, which could enable session hijacking.
Impact
OpenAM deployments through version 16.0.6 that have CDSSO enabled are potentially affected. The CDSSO component is commonly enabled in multi-domain deployments. Exploitation requires user interaction — an authenticated user must be induced to visit an attacker-crafted URL — and is further gated on a non-default configuration being absent.
Patch
This has been patched in OpenAM Community Edition version 16.1.1. Users are encouraged to update to the latest release.
References